A number of extensions exist for Alternating-time Temporal Logic; some of these mix strategies and partial observability but, to the best of our knowledge, no work provides a unified framework for strategies, partial observability and fairness constraints. In this paper we propose $\mathrm{ATLK}^F_{po}$, a logic mixing strategies under partial observability and epistemic properties of agents in a system with fairness constraints on states, and we provide a model checking algorithm for it.

1 Introduction 

A number of extensions exist for Alternating-time Temporal Logic; starting from [7], partial observability has been investigated by many authors, see for instance [8] and references therein. But, to the best of our knowledge, no work provides a unified framework for strategies, partial observability and fairness constraints. For example, Jamroga and van der Hoek proposed, among other logics, ATOL, mixing partial observability with strategies of agents [10]. Along the same lines, Schobbens studied $\mathrm{ATL}_{ir}$ [14], seen as the minimal ATL-based logic for strategies under partial observability [9]. On the other hand, some efforts have been made on bringing fairness to ATL. For instance the work of Alur et al. [?], or the work of Klüppelholz and Baier [11], introduce the notion of fairness constraints on actions, asking for an infinitely often enabled action to be taken infinitely often. For temporal and epistemic logics, however, fairness conditions are normally provided on states. Furthermore, it has been shown that (weak, strong or unconditional) fairness constraints on actions can be reduced to (weak, strong or unconditional, respectively) fairness constraints on states (see [?], for instance). In this paper we propose $\mathrm{ATLK}^F_{po}$, a logic mixing strategies under partial observability and epistemic properties of agents in a system with unconditional fairness constraints on states, and we provide a model checking algorithm for it.

To motivate the need for fairness constraints in ATL under partial observability, consider the simple card game example in [10]. The game is played between a player and a dealer. It uses three cards, A, K and Q; A wins over K, K wins over Q and Q wins over A. First, the dealer gives one card to the player, keeps one and leaves the last one on the table. Then the player can keep his card or swap it with the one on the table. The player wins if his card wins over the dealer's card. Under $\mathrm{ATL}_{ir}$ semantics, the player cannot win the game: he cannot distinguish between, for example, $\langle A,K \rangle$ and $\langle A,Q \rangle$ (where $\langle a,b \rangle$ means "player has card $a$, dealer has card $b$") and thus has to make the same action in both states, with a different result in each case. Consider now a variation of this game: the game does not terminate after the first round. Instead, if the player does not win, cards are redistributed. In this case, too, the player cannot win the game: for instance, he will have to choose between keeping or swapping cards in $\langle A,K \rangle$ and $\langle A,Q \rangle$, so he won't be able to enforce a win because the dealer (who chooses the given cards) can be unfair and always give the losing pair. But if we add one fairness constraint per intermediate state (i.e. the states in which the player has to choose between swapping or keeping), the player has a strategy to finally win the game. In this case, we only consider paths along which all fairness constraints are met infinitely often: this situation corresponds to a fair dealer, giving the cards randomly. The player can thus finally win because $\langle A,K \rangle$ will eventually happen (even if he cannot distinguish it from $\langle A,Q \rangle$), so he knows a strategy to win at least a round: keeping his card.

Another example of application of fairness constraints in ATL is Multi-Agent Programs [5]. These programs are composed of interleaved agent programs and fairness constraints are used to avoid unfair interleaving. Dastani and Jamroga express fairness as formulae of the logic ATL* [5]; in this paper, instead, we deal only with ATL and therefore fairness constraints cannot be expressed as formulae of the logic. The situation is similar to the case of LTL versus CTL model checking: in the first case model checking fairness is reduced to model checking a more complex formula using the same verification algorithms; in the second case fairness is incorporated into bespoke verification algorithms. In our work we chose ATL over ATL* because of complexity considerations (see Section 3).

The rest of the paper is structured as follows: Section 2 presents the syntax and semantics of $\mathrm{ATLK}^F_{po}$ and Section 3 presents two model checking algorithms for the logic. Finally, Section 4 summarizes the contribution and draws some future work.

2 Syntax and Semantics 

This section presents the syntax and semantics of $\mathrm{ATLK}^F_{po}$, an extension of ATL with partial observability under fairness constraints on states. An extension with full observability under the same fairness constraints, $\mathrm{ATLK}^F_{fo}$, is also presented because the model checking algorithm for $\mathrm{ATLK}^F_{po}$ relies on the one for $\mathrm{ATLK}^F_{fo}$.

Syntax Both logics share the same syntax, composed of the standard Boolean connectors ($\vee$, $\wedge$, $\neg$, etc.), CTL operators ($EX$, $EU$, $EG$, etc.), knowledge operators ($K_{ag}$, $E_\Gamma$, $D_\Gamma$, $C_\Gamma$) and strategic operators ($\langle\Gamma\rangle X$, $\langle\Gamma\rangle G$, $\langle\Gamma\rangle U$, $\langle\Gamma\rangle W$ and their $[\Gamma]$ counterparts).

Models and notation $\mathrm{ATLK}^F_{po}$ and $\mathrm{ATLK}^F_{fo}$ formulae are interpreted over models $M = (Ag, S, Act, T, I, \{\sim_i\}, V, F)$ where (1) $Ag$ is a set of $n$ agents; (2) $S = S_1 \times \dots \times S_n$ is a set of global states, each of which is composed of $n$ local states, one for each agent; (3) $Act = Act_1 \times \dots \times Act_n$ is a set of joint actions, each of which is composed of $n$ actions, one for each agent; (4) $T \subseteq S \times Act \times S$ is a transition relation between states in $S$, labelled with joint actions (we write $s \xrightarrow{a} s'$ if $(s, a, s') \in T$); (5) $I \subseteq S$ is the set of initial states; (6) $\{\sim_i\}$ is a set of equivalence relations between states, and $\sim_i$ partitions the set of states in terms of the knowledge of agent $i$: $s \sim_i s'$ iff $s_i = s'_i$, i.e. two states are indistinguishable for agent $i$ if they share the same local state for $i$; (7) $V : S \to 2^{AP}$ labels states with atomic propositions of $AP$; (8) $F \subseteq 2^S$ is a set of fairness constraints, each of which is a subset of states.

A joint action $a = (a_1, \dots, a_n)$ completes a partially joint action $a_\Gamma$ composed of actions of agents in $\Gamma \subseteq Ag$, written $a_\Gamma \sqsubseteq a$, if the actions in $a$ for agents in $\Gamma$ correspond to the actions in $a_\Gamma$. Furthermore, we define the function $img : S \times Act \to 2^S$ as $img(s, a) = \{s' \in S \mid s \xrightarrow{a} s'\}$, i.e. $img(s, a)$ is the set of states reachable in one step from $s$ through $a$.

A model $M$ represents a non-deterministic system where each agent has imperfect information about the current global state. One restriction is made on $T$: $\forall s, s' \in S, s \sim_i s' \Rightarrow enabled(s, i) = enabled(s', i)$, where $enabled(s, i) = \{a_i \in Act_i \mid \exists s' \in S, a \in Act \text{ s.t. } (a_i) \sqsubseteq a \wedge s \xrightarrow{a} s'\}$. This means that the actions an agent can perform in two epistemically equivalent states are the same. The $enabled$ function is straightforwardly extended to groups of agents.

A path in a model $M$ is a sequence $\pi = s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots$ of elements of $T$. We use $\pi(d)$ for $s_d$. A state $s$ is reachable in $M$ if there exist a path $\pi$ and $d \geq 0$ such that $\pi(0) \in I$ and $\pi(d) = s$. A path $\pi$ is fair according to a set of fairness conditions $F = \{f_1, \dots, f_k\}$ if for each fairness condition $f_j$ there exist infinitely many positions $d \geq 0$ such that $\pi(d) \in f_j$. A state $s$ is fair if there exists a fair path starting at $s$.

A strategy for agent $i$ is a function $f_i : S \to Act_i$ where, for any state $s$, $f_i(s) \in enabled(s, i)$; a strategy maps each state to an enabled action. We call these strategies global strategies. A uniform strategy for agent $i$ is a global strategy $f$ where $\forall s, s' \in S, s' \sim_i s \Rightarrow f(s) = f(s')$, i.e. agent $i$ cannot choose two different actions for two indistinguishable states. The set of strategy outcomes from a state $s$ for a strategy $f_i$, denoted $out(s, f_i)$, is the set of paths the strategy can enforce, i.e. $out(s, f_i) = \{\pi = s_0 \xrightarrow{a_1} s_1 \cdots \mid s_0 = s \wedge \forall d \geq 0, s_{d+1} \in img(s_d, a_{d+1}) \wedge (f_i(s_d)) \sqsubseteq a_{d+1}\}$. The definition of outcomes is naturally extended to sets of strategies for a subset of agents.



Semantics The semantics of both logics are defined over states of a model $M$ by defining the relations $M, s \models^F_{fo} \varphi$ and $M, s \models^F_{po} \varphi$, for $\mathrm{ATLK}^F_{fo}$ and $\mathrm{ATLK}^F_{po}$ respectively. $M$ can be omitted when clear from the context. Both relations share a part of their semantics; we write $s \models^F \varphi$ if $s \models^F_{fo} \varphi$ and $s \models^F_{po} \varphi$. The $s \models^F_{fo} \varphi$ and $s \models^F_{po} \varphi$ relations are recursively defined over the structure of $\varphi$ and follow the standard interpretation for most of the operators: $s \models^F p$ if $p \in V(s)$; $\vee$ and $\neg$ are interpreted in the natural way; $s \models^F K_i \varphi$ if $\varphi$ is true in all fair reachable states indistinguishable from $s$ for agent $i$; $s \models^F E_\Gamma \varphi$ if all agents in $\Gamma$ know $\varphi$; $s \models^F D_\Gamma \varphi$ if, by putting all their knowledge in common, the agents of $\Gamma$ would know $\varphi$; and $s \models^F C_\Gamma \varphi$ if $\varphi$ is common knowledge among the agents of $\Gamma$ [6]. $s \models^F E\psi$ if there is a path $\pi$ starting at $s$ satisfying $\psi$; $\pi \models^F X\varphi$ if $\pi(1)$ satisfies $\varphi$; $\pi \models^F \varphi_1 U \varphi_2$ if $\varphi_1$ is true along the path until $\varphi_2$ is true; $\pi \models^F G\varphi$ if $\varphi$ is always true along $\pi$; and $\pi \models^F \varphi_1 W \varphi_2$ if $\pi \models^F (\varphi_1 U \varphi_2) \vee G\varphi_1$.
The meaning of the $\langle\Gamma\rangle$ operator is different in the two semantics:

(i) $s \models^F_{fo} \langle\Gamma\rangle\psi$ iff there exists a set of global strategies $f_\Gamma$, one for each agent in $\Gamma$, such that for all fair paths $\pi \in out(s, f_\Gamma)$, $\pi \models^F \psi$;

(ii) $s \models^F_{po} \langle\Gamma\rangle\psi$ iff there exists a set of uniform strategies $f_\Gamma$, one for each agent in $\Gamma$, such that for all $s' \sim_\Gamma s$, for all fair paths $\pi \in out(s', f_\Gamma)$, $\pi \models^F \psi$.

The $[\Gamma]$ operator is the dual of $\langle\Gamma\rangle$: $s \models^F [\Gamma]\psi$ iff $s \models^F$



3 Model Checking $\mathrm{ATLK}^F_{fo}$ and $\mathrm{ATLK}^F_{po}$

Model checking $\mathrm{ATLK}^F_{fo}$ The model checking algorithm for $\mathrm{ATLK}^F_{fo}$ is defined by the function $[\cdot]^F_{fo} : \mathrm{ATLK}^F_{fo} \to 2^S$ returning the set of states of a given model $M$ satisfying a given $\mathrm{ATLK}^F_{fo}$ property. This function is defined in the standard way for Boolean connectors, CTL and knowledge operators [13]. The $[\Gamma]$ operators are evaluated as follows:

$$[[\Gamma]X\varphi]^F_{fo} = Pre_{[\Gamma]}([\varphi]^F_{fo} \cap Fair_{[\Gamma]})$$

$$[[\Gamma]\varphi_1 U \varphi_2]^F_{fo} = \mu Z.\,([\varphi_2]^F_{fo} \cap Fair_{[\Gamma]}) \cup ([\varphi_1]^F_{fo} \cap Pre_{[\Gamma]}(Z))$$

$$[[\Gamma]G\varphi]^F_{fo} = \nu Z.\,[\varphi]^F_{fo} \cap \bigcap_{f \in F} Pre_{[\Gamma]}\big(\mu Y.\,(Z \cap f) \cup ([\varphi]^F_{fo} \cap Pre_{[\Gamma]}(Y))\big)$$

$$[[\Gamma]\varphi_1 W \varphi_2]^F_{fo} = \nu Z.\,([\varphi_2]^F_{fo} \cap Fair_{[\Gamma]}) \cup \Big([\varphi_1]^F_{fo} \cap \bigcap_{f \in F} Pre_{[\Gamma]}\big(\mu Y.\,([\varphi_2]^F_{fo} \cap Fair_{[\Gamma]}) \cup (Z \cap f) \cup ([\varphi_1]^F_{fo} \cap Pre_{[\Gamma]}(Y))\big)\Big)$$

where $Pre_{[\Gamma]}(Z) = \{s \mid \forall a_\Gamma \in enabled(s, \Gamma), \exists a \text{ s.t. } a_\Gamma \sqsubseteq a \wedge img(s, a) \cap Z \neq \emptyset\}$ and $Fair_{[\Gamma]} = [[\Gamma]G\,true]^F_{fo}$. $\mu Z.\tau(Z)$ and $\nu Z.\tau(Z)$ are the least and greatest fix points of the function $\tau(Z)$. Intuitively, the $Pre_{[\Gamma]}(Z)$ operator returns the set of states in which $\Gamma$ cannot avoid reaching a state of $Z$. Thus, $[[\Gamma]G\varphi]^F_{fo}$ returns the set of states in which $\Gamma$ cannot avoid a path of states of $[\varphi]^F_{fo}$ going through all fairness constraints infinitely often; $Fair_{[\Gamma]}$ is the set of states in which $\Gamma$ cannot avoid a fair path. Note that the $\langle\Gamma\rangle$ operators can be computed using the $[\Gamma]$ and $\neg$ operators, but can also be computed directly using the dual forms of the ones above. For example, $[\langle\Gamma\rangle G\varphi]^F_{fo} = \nu Z.\,([\varphi]^F_{fo} \cup \overline{Fair_{[\Gamma]}}) \cap Pre_{\langle\Gamma\rangle}(Z)$, where $Pre_{\langle\Gamma\rangle}(Z) = \{s \mid \exists a_\Gamma \in enabled(s, \Gamma) \text{ such that } \forall a, a_\Gamma \sqsubseteq a \Rightarrow img(s, a) \subseteq Z\}$ and $\overline{Z} \subseteq S$ is the complement of the set $Z \subseteq S$.

The correctness of the model checking algorithm for $\mathrm{ATLK}^F_{fo}$ follows from Theorem 1.

Theorem 1. For all states $s \in S$, $s \models^F_{fo} \varphi$ if and only if $s \in [\varphi]^F_{fo}$.

Proof sketch. First, $Reach_{[\Gamma]}(P_1, P_2) = \mu Y.\,P_2 \cup (P_1 \cap Pre_{[\Gamma]}(Y))$ computes the set of states in which $\Gamma$ cannot avoid a finite path of states of $P_1$ to a state of $P_2$. We can prove it by induction over the computation of the least fix point. It is true by definition of the least fix point and the $Pre_{[\Gamma]}$ operation.

Then, for the $[\Gamma]G\varphi$ operator, $[[\Gamma]G\varphi]^F_{fo} = \nu Z.\,[\varphi]^F_{fo} \cap \bigcap_{f \in F} Pre_{[\Gamma]}\big(\mu Y.\,(Z \cap f) \cup ([\varphi]^F_{fo} \cap Pre_{[\Gamma]}(Y))\big) = \nu Z.\,[\varphi]^F_{fo} \cap \bigcap_{f \in F} Pre_{[\Gamma]}\big(Reach_{[\Gamma]}([\varphi]^F_{fo}, Z \cap f)\big)$ computes the set of states in which $\Gamma$ cannot avoid a fair path (i.e. going through each $f \in F$ infinitely often) that satisfies $G\varphi$. We prove it by induction over the computation of the greatest fix point and by using what has been proved just above.

Thanks to this, we can easily prove that $Fair_{[\Gamma]} = [[\Gamma]G\,true]^F_{fo}$ computes the set of states in which $\Gamma$ cannot avoid a fair path (it is just a particular case of the $[\Gamma]G$ operator).

Then, the $[\Gamma]X$ and $[\Gamma]U$ operators compute the set of states in which $\Gamma$ cannot avoid a successor in $[\varphi]^F_{fo}$ in which $\Gamma$ cannot avoid a fair path, respectively the set of states in which $\Gamma$ cannot avoid a finite path through states of $[\varphi_1]^F_{fo}$ to a state of $[\varphi_2]^F_{fo}$ in which $\Gamma$ cannot avoid a fair path. In particular, the proof for $[\Gamma]U$ directly follows from the proof for $Reach_{[\Gamma]}$.

Finally, the proof for the $[\Gamma]W$ operator is similar to the one for the $[\Gamma]G$ operator. The proof of correctness of the algorithms for the $\langle\Gamma\rangle$ operators follows from the proof for the $[\Gamma]$ operators, the duality of these operators and standard fix point properties. □

Model checking $\mathrm{ATLK}^F_{po}$: basic algorithm A basic algorithm is presented in Algorithm 1. It relies on the model checking algorithm for $\mathrm{ATLK}^F_{fo}$. It uses two sub-algorithms: $Split$ and $[\cdot]^F_{fo}|_{strat}$, where $strat$ is a strategy represented as a set of state/action pairs. The latter is a modified version of the algorithm described in the previous section with $Pre_{\langle\Gamma\rangle}|_{strat}$ replacing $Pre_{\langle\Gamma\rangle}$, where $Pre_{\langle\Gamma\rangle}|_{strat}(Z) = \{s \mid \exists a_\Gamma \in enabled(s, \Gamma) \text{ such that } (s, a_\Gamma) \in strat \wedge \forall a, a_\Gamma \sqsubseteq a \Rightarrow img(s, a) \subseteq Z\}$, i.e., $Pre_{\langle\Gamma\rangle}|_{strat}(Z)$ is $Pre_{\langle\Gamma\rangle}(Z)$ restricted to the states and actions allowed by $strat$. Furthermore, $[\cdot]^F_{fo}|_{strat}$ recursively calls $[\cdot]^F_{po}$ on sub-formulae, instead of $[\cdot]^F_{fo}$.

The $Split$ algorithm is given in Algorithm 2. $Split(S \times Act_\Gamma)$ returns the set of uniform strategies of the system (a uniform strategy is represented by the action for group $\Gamma$ allowed in each state, and this action needs to be the same for each state in the same equivalence class).

Intuitively, Algorithm 1 computes, for each possible uniform strategy $strat$, the set of states for which the strategy is winning, and then keeps only the states $s$ for which the strategy is winning for all states equivalent to $s$.

Before proving the correctness of the basic algorithm, let us prove the correctness of the $Split$ algorithm.
Algorithm 1: $[\langle\Gamma\rangle\psi]^F_{po}$

Data: $M$ a given (implicit) model, $\Gamma$ a subset of agents of $M$, $\psi$ an $\mathrm{ATLK}^F_{po}$ path formula.
Result: The set of states of $M$ satisfying $\langle\Gamma\rangle\psi$.

    sat = {}
    for strat ∈ Split(S × Act_Γ) do
        winning = [⟨Γ⟩ψ]^F_fo|_strat
        sat = sat ∪ {s ∈ winning | ∀s' ~_Γ s, s' ∈ winning}
    return sat



Algorithm 2: $Split(Strats)$

Data: $Strats \subseteq S \times Act_\Gamma$.
Result: The set of all the largest subsets $SA$ of $Strats \subseteq S \times Act_\Gamma$ such that no conflicts appear in $SA$.

    C = {(s,a_Γ) ∈ Strats | ∃(s',a'_Γ) ∈ Strats s.t. s' ~_Γ s ∧ a_Γ ≠ a'_Γ}
    if C = ∅ then
        return {Strats}
    else
        (s,a_Γ) = pick one in C
        E = {(s',a'_Γ) ∈ Strats | s' ~_Γ s}
        A = {a_Γ ∈ Act_Γ | ∃(s,a_Γ) ∈ E}
        strats = {}
        for a_Γ ∈ A do
            S = {(s',a'_Γ) ∈ E | a'_Γ = a_Γ}
            strats = strats ∪ Split(S ∪ (Strats \ E))
        return strats



Theorem 2. $Split(Strats)$ computes the set of all the largest subsets $SA$ of $Strats \subseteq S \times Act_\Gamma$ such that no conflicts appear in $SA$.

Remark 1. A conflict appears in $SA \subseteq S \times Act_\Gamma$ if there exist two elements $(s, a_\Gamma)$ and $(s', a'_\Gamma)$ in $SA$ such that $s' \sim_\Gamma s$ and $a_\Gamma \neq a'_\Gamma$, i.e. there is a conflict if $SA$ proposes two different actions in two equivalent states.

Proof sketch of Theorem 2. $Split$ gets all the conflicting elements of $Strats$. If there are no such elements, then $Strats$ is its own largest non-conflicting subset; otherwise, $Split$ takes one conflicting equivalence class $E$ and, for each of its largest non-conflicting subsets $S$ (i.e. subsets of states using the same action), it calls $Split$ on the rest of $Strats$ augmented with the non-conflicting subset $S$.

We can prove the correctness of $Split$ by induction over the number of conflicting equivalence classes of $Strats$. If $Strats$ does not contain any conflicting equivalence class, $Strats$ is its own single largest subset in which no conflicts appear. Otherwise, let us assume that $Split(Strats \setminus E)$, with $E$ a conflicting equivalence class of $Strats$, returns the set of all the largest non-conflicting subsets of $Strats \setminus E$; then, by what has been explained above, $Split$ returns the cartesian product between all the largest non-conflicting subsets of $E$ and all the largest non-conflicting subsets of $Strats \setminus E$. Because these cannot be conflicting as they belong to different equivalence classes, we can conclude that $Split$ returns the set of the largest non-conflicting subsets of $Strats$. □
The correctness of Algorithm 1 is then given by the following theorem.

Theorem 3. $[\langle\Gamma\rangle\psi]^F_{po}$ computes the set of states of $M$ satisfying $\langle\Gamma\rangle\psi$, i.e.

$$\forall s \in S,\ s \in [\langle\Gamma\rangle\psi]^F_{po} \text{ iff } s \models^F_{po} \langle\Gamma\rangle\psi.$$

Proof sketch. First, $Split(S \times Act_\Gamma)$ returns all the possible uniform strategies of the system, where a uniform strategy is represented by the only action allowed in each equivalence class of states (states equivalent in terms of the knowledge of $\Gamma$), this action being the same for every state of the class.

Indeed, the set of the largest non-conflicting subsets of $S \times Act_\Gamma$ is the set of possible uniform strategies. First, a non-conflicting subset of $S \times Act_\Gamma$ provides at most one action for each equivalence class of states, otherwise it would not be non-conflicting; second, a largest non-conflicting subset of $S \times Act_\Gamma$ provides exactly one action for each equivalence class of states, otherwise there would be a larger subset giving one action for the missing equivalence classes and this subset would not be conflicting. Finally, a largest non-conflicting subset of $S \times Act_\Gamma$ is a uniform strategy because this is exactly the definition of a uniform strategy: giving one possible action for each equivalence class. This ends the proof that $Split$ returns the set of all possible uniform strategies.

Second, $winning = [\langle\Gamma\rangle\psi]^F_{fo}|_{strat}$ returns the set of states for which the strategy $strat$ is winning. Indeed, it uses the $\mathrm{ATLK}^F_{fo}$ model checking algorithm, restricted to actions in $strat$. It thus returns the set of states for which there is a (global) winning strategy in $strat$. As $strat$ is, by construction, a uniform strategy, $winning$ is the set of states for which there exists a uniform winning strategy, in fact $strat$ itself.

Finally, the set $\{s \in winning \mid \forall s' \sim_\Gamma s, s' \in winning\}$ is the set of states $s$ for which $strat$ is a winning strategy for all $s' \sim_\Gamma s$; $sat$ thus accumulates all the states $s$ for which there is a winning strategy for all states indistinguishable from $s$. As this is exactly the semantics of the property, i.e. $sat$ is exactly the set of states of the system satisfying the property, the proof is done. □
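The fair $[\Gamma]G$ fixpoint of this section and Algorithms 1 and 2, run on the repeated card game of the introduction, as an added example that is not the paper's code. It assumes a restriction $Pre_{[\Gamma]}|_{strat}$ of $Pre_{[\Gamma]}$ to the actions allowed by $strat$ (analogous to the paper's $Pre_{\langle\Gamma\rangle}|_{strat}$), models the dealer's choices as the non-determinism of the model, and computes $\langle\Gamma\rangle F\,win$ as $\neg[\Gamma]G\,\neg win$.

```python
# Added example, not the paper's code: the fair [Γ]G fixpoint of Section 3 and
# Algorithms 1 and 2 run on a constructed model of the repeated card game from the
# introduction, reduced to the two intermediate states the player cannot tell apart.
# Γ = {player}; the dealer's choices are the model's non-determinism.
# States: "AK"/"AQ" = player holds A, dealer holds K/Q; "win"/"lose" = round result.
# TRANS maps (state, player action) -> successor states (img for Γ's action).
TRANS = {
    ("AK", "keep"): {"win"},  ("AK", "swap"): {"lose"},
    ("AQ", "keep"): {"lose"}, ("AQ", "swap"): {"win"},
    ("win", "next"): {"AK", "AQ"}, ("lose", "next"): {"AK", "AQ"},  # cards redistributed
}
STATES = {s for (s, _) in TRANS}
LOCAL = {"AK": "holdA", "AQ": "holdA", "win": "win", "lose": "lose"}  # player's local state
FAIR = [{"AK"}, {"AQ"}]     # one fairness constraint per intermediate state: a fair dealer
NO_FAIR = [STATES]          # the trivial constraint, i.e. every infinite path is fair

def equiv(s, t):
    """s ~_Γ t: the player sees the same local state."""
    return LOCAL[s] == LOCAL[t]

def all_pairs():
    """S x Act_Γ restricted to enabled actions; the Strats argument of Algorithm 2."""
    return set(TRANS)

def pre_box(Z, strat):
    """Assumed Pre_[Γ]|strat(Z): every action strat allows in s may lead into Z."""
    return {s for s in STATES if all(TRANS[(t, a)] & Z for (t, a) in strat if t == s)}

def reach_box(P1, P2, strat):
    """Reach_[Γ](P1, P2) = μY. P2 ∪ (P1 ∩ Pre_[Γ](Y)): cannot avoid a P1-path into P2."""
    Y = set()
    while True:
        nxt = P2 | (P1 & pre_box(Y, strat))
        if nxt == Y:
            return Y
        Y = nxt

def box_G(phi, strat, fair):
    """[[Γ]G phi]^F_fo = νZ. phi ∩ ⋂_{f∈F} Pre_[Γ](Reach_[Γ](phi, Z ∩ f))."""
    Z = set(STATES)
    while True:
        nxt = set(phi)
        for f in fair:
            nxt &= pre_box(reach_box(phi, Z & f, strat), strat)
        if nxt == Z:
            return Z
        Z = nxt

def diamond_F(goal, strat, fair):
    """<Γ>F goal = ¬[Γ]G ¬goal (duality), with Γ's actions restricted to strat."""
    return STATES - box_G(STATES - goal, strat, fair)

def split(strats):
    """Algorithm 2: the largest conflict-free subsets of strats, i.e. the uniform strategies."""
    conflicts = [(s, a) for (s, a) in strats
                 if any(equiv(s, t) and a != b for (t, b) in strats)]
    if not conflicts:
        return [frozenset(strats)]
    s, _ = conflicts[0]
    E = {(t, b) for (t, b) in strats if equiv(t, s)}   # the conflicting equivalence class
    result = []
    for a in {b for (_, b) in E}:                      # one uniform choice per action
        chosen = {(t, b) for (t, b) in E if b == a}
        result.extend(split(chosen | (strats - E)))
    return result

def algorithm1(goal, fair):
    """[<Γ>F goal]^F_po: keep a state only if the uniform strategy wins in its whole class."""
    sat = set()
    for strat in split(all_pairs()):
        winning = diamond_F(goal, strat, fair)
        sat |= {s for s in winning if all(t in winning for t in STATES if equiv(s, t))}
    return sat

if __name__ == "__main__":
    print("fo, no fairness :", sorted(diamond_F({"win"}, all_pairs(), NO_FAIR)))
    print("po, no fairness :", sorted(algorithm1({"win"}, NO_FAIR)))
    print("po, fair dealer :", sorted(algorithm1({"win"}, FAIR)))
```

Under full observability the player wins from every state; under partial observability only the fair-dealer constraints make both intermediate states winning, since the uniform strategy "keep" is then winning for the whole equivalence class.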

Improving the basic algorithm The first improvement proposed for the basic algorithm is the pre-filtering of states to the ones satisfying the property under $\mathrm{ATLK}^F_{fo}$; we can filter them because if a state $s$ does not satisfy $\langle\Gamma\rangle\psi$ under $\mathrm{ATLK}^F_{fo}$, $s$ cannot satisfy $\langle\Gamma\rangle\psi$ under $\mathrm{ATLK}^F_{po}$. The second one is the alternation between filtering and splitting the strategies. Both improvements are aimed at reducing the number of uniform strategies to consider. The improved algorithm is presented in Algorithm 3. Using this algorithm, we can compute $[\langle\Gamma\rangle\psi]^F_{po}$ as $Improved[\langle\Gamma\rangle\psi]^F_{po}|_{S \times Act_\Gamma}$. The intuition behind Algorithm 3 is to start by computing the set of states satisfying the property and the associated actions (line 1), then get all conflicts (line 2) and, if there are conflicts, choose one conflicting equivalence class of states and its possible actions (lines 6 to 8) and, for each possible action $a_\Gamma$, recursively call the algorithm with the strategies following $a_\Gamma$ (lines 11 and 12), i.e. split the class into uniform strategies for this class and recursively call the algorithm on each strategy.

More in detail, Algorithm 3 returns the set of states satisfying the property in $Strats$. So, to get the final result, we have to take all the states satisfying the property in $S \times Act_\Gamma$. Algorithm 3 uses the function $[\cdot]^{F,ac}_{fo}|_{strats}$. This function is a modification of the $[\cdot]^F_{fo}|_{strats}$ function where actions are linked to states. More precisely, every sub-call to $[\cdot]^F_{po}$ or $Fair_{[\Gamma]}$ is enclosed by $StatesActions_\Gamma|_{strats}$ to get all the enabled actions in these states, restricted to $strats$, where $StatesActions_\Gamma|_{strats}(Z) = \{(s, a_\Gamma) \in strats \mid s \in Z \wedge a_\Gamma \in enabled(s, \Gamma)\}$, and $Pre_{\langle\Gamma\rangle}|_{strats}$ is replaced by $Pre^{ac}_{\langle\Gamma\rangle}|_{strats}(Z) = \{(s, a_\Gamma) \in strats \mid a_\Gamma \in enabled(s, \Gamma) \wedge \forall a, a_\Gamma \sqsubseteq a \Rightarrow img(s, a) \subseteq Z\}$. For example, $[\langle\Gamma\rangle G\varphi]^{F,ac}_{fo}|_{strats} = \nu Z.\,\big(StatesActions_\Gamma|_{strats}([\varphi]^F_{po} \cup \overline{Fair_{[\Gamma]}})\big) \cap Pre^{ac}_{\langle\Gamma\rangle}|_{strats}(Z)$.
Algorithm 3: $Improved[\langle\Gamma\rangle\psi]^F_{po}|_{Strats}$

Data: $M$ a given (implicit) model, $\Gamma$ a subset of agents of $M$, $\psi$ an $\mathrm{ATLK}^F_{po}$ path formula, $Strats \subseteq S \times Act_\Gamma$.
Result: The set of states of $M$ satisfying $\langle\Gamma\rangle\psi$ in $Strats$.

     1  Z = [⟨Γ⟩ψ]^{F,ac}_fo|_Strats
     2  C = {(s,a_Γ) ∈ Z | ∃(s',a'_Γ) ∈ Z such that s ~_Γ s' ∧ a_Γ ≠ a'_Γ}
     3  if C = ∅ then
     4      return {s ∈ S | ∃a_Γ ∈ Act_Γ s.t. ∀s' ~_Γ s, (s',a_Γ) ∈ Z}
     5  else
     6      (s,a_Γ) = pick one in C
     7      E = {(s',a'_Γ) ∈ Z | s ~_Γ s'}
     8      A = {a_Γ ∈ Act_Γ | ∃(s,a_Γ) ∈ E}
     9      sat = {}
    10      for a_Γ ∈ A do
    11          strat = {(s',a'_Γ) ∈ E | a'_Γ = a_Γ} ∪ (Z \ E)
    12          sat = sat ∪ Improved[⟨Γ⟩ψ]^F_po|_strat
    13      return sat



Intuitively, $StatesActions_\Gamma|_{strats}(Z)$ returns all the states of $Z$ with their enabled actions allowed by $strats$, and $Pre^{ac}_{\langle\Gamma\rangle}|_{strats}(Z)$ returns the states that can enforce reaching $Z$ in one step, together with the actions that allow them to do so, restricted to the actions in $strats$. $[\langle\Gamma\rangle\psi]^{F,ac}_{fo}|_{strats}$ thus returns the states satisfying $\langle\Gamma\rangle\psi$ associated with the actions of $strats$ that allow them to do so.

The correctness of Algorithm 3 is given by the following theorem.

Theorem 4. $Improved[\langle\Gamma\rangle\psi]^F_{po}|_{S \times Act_\Gamma}$ computes the set of states of $M$ satisfying $\langle\Gamma\rangle\psi$, i.e.

$$\forall s \in S,\ s \in Improved[\langle\Gamma\rangle\psi]^F_{po}|_{S \times Act_\Gamma} \text{ iff } s \models^F_{po} \langle\Gamma\rangle\psi.$$

Proof sketch. First, $[\langle\Gamma\rangle\psi]^{F,ac}_{fo}|_{Strats}$ returns the set of states $s$ (and associated actions) such that there exists a global strategy in $Strats$ allowing $\Gamma$ to enforce the property in $s$. This means that if a state/action pair is not returned, $\Gamma$ has no global strategy to enforce the property from the given state by using the action given in the pair. By extension, there is no uniform strategy to enforce the property either. Thus, only the state/action pairs returned by $[\langle\Gamma\rangle\psi]^{F,ac}_{fo}|_{Strats}$ have to be considered when searching for a uniform strategy in $Strats$. This also means that $[\langle\Gamma\rangle\psi]^{F,ac}_{fo}|_{Strats}$ filters $Strats$ down to winning global strategies; if the result is also a uniform strategy, all the states in the returned set have a uniform strategy to enforce the property.

Second, $Improved[\langle\Gamma\rangle\psi]^F_{po}|_{Strats}$ returns the set of states satisfying the property in $Strats$. We can prove this by induction on the number of conflicting equivalence classes of $Strats$: this is true if there are no conflicting classes because line 1 computes a winning uniform strategy (as discussed above) and line 4 returns the set of states for which the strategy is winning for all indistinguishable states. This is also true in the inductive case because (1) filtering with $[\langle\Gamma\rangle\psi]^{F,ac}_{fo}|_{Strats}$ does not lose potential state/action pairs and (2) the algorithm takes one conflicting class and tries all the possibilities for this class.

The final result is thus correct since it returns the set of states $s$ for which there is a uniform strategy in $S \times Act_\Gamma$ that is winning for all states equivalent to $s$. □
Complexity considerations Model checking ATL with perfect recall and partial observability is an undecidable problem [14], while model checking $\mathrm{ATL}_{ir}$ is a $\Delta^P_2$-complete problem [9]. $\mathrm{ATLK}^F_{po}$ subsumes $\mathrm{ATL}_{ir}$ and its model checking problem is therefore $\Delta^P_2$-hard. Algorithm 1 performs a call to $[\cdot]^F_{fo}$ for each uniform strategy: $[\cdot]^F_{fo}$ is in P, but in the worst case there could be exponentially many calls to this procedure, as there could be up to $\prod_{i \in \Gamma} |Act_i|^{|S_i|}$ uniform strategies to consider.

4 Conclusion 

A number of studies in the past have investigated the problem of model checking strategies under partial observability and, separately, some work has provided algorithms for including fairness constraints on actions in the case of full observability. To the best of our knowledge, the issue of fairness constraints and partial observability has never been addressed together.

In this paper we presented $\mathrm{ATLK}^F_{po}$, a logic combining partial observability and fairness constraints on states (which is the standard approach for temporal and epistemic logics), and we have provided a model checking algorithm. The proposed algorithm is similar to the one of Calta et al. [?]. They also split possible actions into uniform strategies, but they do not provide a way to deal with fairness constraints.

Finally, the structure of our algorithm is compatible with symbolic model checking using OBDDs, and we are working on its implementation in the model checker MCMAS [12], where fairness constraints are only supported for temporal and epistemic operators.